<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Openitcockpit - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/openitcockpit/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/openitcockpit/feed.xml" rel="self" type="application/rss+xml"/><item><title>openITCOCKPIT Command Injection Vulnerability (CVE-2026-24893)</title><link>https://feed.craftedsignal.io/briefs/2024-01-openitcockpit-command-injection/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-openitcockpit-command-injection/</guid><description>openITCOCKPIT Community Edition before 5.5.2 is vulnerable to command injection, allowing authenticated users with host modification privileges to execute arbitrary OS commands on the monitoring backend via crafted host attributes in monitoring command templates.</description><content:encoded><![CDATA[<p>openITCOCKPIT is an open-source monitoring tool used for various monitoring engines. A critical command injection vulnerability, identified as CVE-2026-24893, affects openITCOCKPIT Community Edition versions prior to 5.5.2. This vulnerability allows an authenticated user with the permission to add or modify hosts to execute arbitrary operating system commands on the monitoring backend. The root cause lies in the insecure handling of user-controlled host attributes, specifically the host address. These attributes are expanded into monitoring command templates without proper validation, escaping, or quoting. This lack of input sanitization allows attackers to inject malicious commands. Successful exploitation results in remote code execution on the openITCOCKPIT server. Organizations using vulnerable versions of openITCOCKPIT are at high risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated user logs into the openITCOCKPIT web interface with privileges to modify host configurations.</li>
<li>The attacker navigates to the host configuration panel and selects to add or modify a host.</li>
<li>The attacker enters a malicious payload within the host address field, injecting OS commands (e.g., <code>127.0.0.1; whoami &gt; /tmp/poc.txt</code>).</li>
<li>openITCOCKPIT stores the crafted host address without proper sanitization.</li>
<li>The monitoring engine (Nagios/Icinga) processes the host configuration, expanding the host address into a monitoring command template.</li>
<li>The monitoring engine executes the template via a shell. The injected OS command within the host address is executed due to the lack of escaping or quoting.</li>
<li>The injected command executes on the openITCOCKPIT server with the privileges of the monitoring engine.</li>
<li>The attacker gains remote code execution, potentially leading to further compromise of the system and network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-24893 allows attackers to execute arbitrary operating system commands on the openITCOCKPIT server. This could lead to complete system compromise, data exfiltration, and potentially lateral movement within the network. The vulnerability affects all installations of openITCOCKPIT Community Edition prior to version 5.5.2. Organizations relying on openITCOCKPIT for critical infrastructure monitoring are at significant risk of disruption and data loss.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade openITCOCKPIT to version 5.5.2 or later to patch CVE-2026-24893.</li>
<li>Implement the Sigma rule <code>openitcockpit_command_injection_process</code> to detect potential exploitation attempts by monitoring process creation events.</li>
<li>Review and restrict user permissions within openITCOCKPIT to limit the number of accounts capable of modifying host configurations.</li>
<li>Deploy the Sigma rule <code>openitcockpit_command_injection_web</code> and tune for your environment to detect possible command injection attempts through web server logs.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>command-injection</category><category>rce</category><category>openitcockpit</category></item></channel></rss>